Requirements

□ Requirement # 2009-0247
  □ Provide persistence (DarkMatter), process and file hiding (SeaPea), and a beacon (NightSkies), integrated onto a MacBook Air with current Mac OSX
  □ NightSkies shall support the MacBook Air using Mac OSX 10.5.x
  □ NightSkies shall be compatible with DarkMatter persistence and kernel patching tool
  □ DarkMatter shall have the capability to disable itself after a configurable amount of time
  □ DarkMatter shall have the capability of removing its payload from the EFI of the MacBook Air
  □ NightSkies shall be compatible with SeaPea rootkit
  □ NightSkies shall support the following implant features:
    □ Beaconing to a listening post (LP)
    □ Command receipt and execution from a LP
    □ File transfer to and from the LP
    □ Program file execution on the MacBook Air
    □ Delay after browser starts to beacon
  □ The tool shall be packaged manually, according to the parameters to be provided by COG

Concept of Operations

Capabilities and Limitations

□ Supported Target:
  □ MacBook Air 1,1
  □ Mac OSX 10.5.2-6
  □ MBA11.00BB.B03
□ Requires physical access for installation
□ Persists in EFI firmware (cannot persist over firmware update)
□ Delayed operation
□ Self-delete to avoid forensic examination
□ Delivers SeaPea: Mac OSX kernel-space implant
  □ Provides privileged execution
  □ Hides user-space implants
□ Delivers NightSkies: Mac OSX user-space implant
  □ Beacon + Command & Control
  □ Masquerades as standard HTTP protocol for communications
  □ Uses XXTEA block encryption to provide secure communications
□ Hidden & encrypted configuration stored in NVRAM variable

IV&V Overview

□ DarkSeaSkies was tested in accordance with the provided User Requirements (2009-0247).
□ The test environment consisted of the following hardware:
  □ MacBook Air with the most recent BIOS (MBA11.00BB.B03)
□ The test environment consisted of the following software:
  □ OSX versions 10.5.2 through 10.5.6
□ Thumb drive successfully installs DarkMatter to the EFI and proceeds to launch the SeaPea rootkit with the NightSkies payload.
□ DarkSeaSkies was able to survive continuous reboots, upgrades of the OS, and clean installs of the OS.

IV&V Overview (cont.)

□ NightSkies beacons to the LP after the tool reaches its beacon interval and then Safari or Firefox surfs to a web page. It then received files, sent files, and executed files on the target based on the Listening Post (LP) instructions.
□ NightSkies, its files, and its processes are hidden from users and from root.
□ DarkSeaSkies removed itself automatically when several conditions were met:
  □ When the target had not been able to reach the LP for 180 days.
  □ When it booted to another OS five times in a row.
  □ If it had a kernel panic three times in a row.
  □ If the NVRAM status variable was set to either a 1 or a 5.

IV&V Overview (cont.)

□ DarkSeaSkies removed itself from the EFI and memory after its removal commands had been performed.
□ The only things left on the EFI after removal are two values, status and count. Even though they are in a deleted state, they can still be seen until they are overwritten with new data.

IV&V Findings

IV&V Observations

□ Install Time - With the target system powered off, the tool can be installed in less than 29 seconds. It takes roughly 23 seconds to reach the point where the thumb drive can be chosen as the boot device and 6 seconds for the tool to install and power off the machine.
□ Clock Considerations - if the target...
  □ Advances the clock by 180 days, then the tool will uninstall.
  □ Sets the clock back by (x) amount of time, then the tool will not beacon again for (x) amount of time.

Product Support

□ Operator Training
  □ Operators will be trained at their convenience.
□ Tool and Project Documentation
  □ DarkSeaSkies 1.0 CONOP_Rev New_2009-01-26.doc
  □ DarkSeaSkies 1.0 URD_Rev New_2009-01-26.doc
  □ DarkSeaSkies 1.0 User Manual_Rev New_2009-01-26.doc
  □ DarkSeaSkies v1.0_Test Plan Procedures_Rev New_2009-01-26.doc
  □ DarkSeaSkies v1.0 TDR_Rev New_2009-01-26.ppt
  □ UserGuide_SeaPea_2_0.pdf
  □ Night Skies v1.1 Test Plan and Test Procedures.doc
  □ NightSkies v1.1 CONOPS.doc
  □ NightSkies v1.1 User Requirements Document.doc
  □ NightSkies v1.2 User Guide

Certification

□ Discussion and Decision
□ Recap of Assigned Actions